Slashdot Mirror

← Back to Stories (view on slashdot.org)

Is There a Better Way to do UNIX Workgroups?

Posted by Cliff on from the reanalysing-traditional-solutions dept.

Pauly asks: "Here I am again setting up a new workgroup of UNIX workstations and servers in the traditional office arrangement. By traditional I mean many clients being authenticated by a naming service and mounting homedirs and other shares handled by centralized file servers. I can't help thinking there has to be a better way to do this. Even though this particular LAN is behind a reasonable firewall, I don't feel that NIS/NFS (and their derivatives) are designed securely enough for today's world. Even though I have gone to great lengths to secure the dmz, it just feels wrong to ignore the internal network. I don't have any legacy application or system requirements to keep me tied to NIS/NFS. All the clients will be OpenBSD, FreeBSD or Linux machine. Therefore, I am free to use the best-of-breed tools available today. So I ask: How would you implement the traditional UNIX workgroup today and which of the latest and greatest tools available would you use?"

4 of 40 comments (clear)

  1. Re:Yes there is by jslag · · Score: 2, Insightful
    * Make sure you use a switched network, so that nobody can sniff traffic or engage in ARP spoofing.


    Isn't the whole point of arp spoofing, that it allows sniffing despite switches?

  2. Re:Yes there is by wfrp01 · · Score: 3, Insightful

    Use NFS tunneled over SSH for file distribution.

    If you have linux clients, what's to prevent me from mounting any user's data that I want? I pop in a Linux boot CD, become root, read the necessary ssh private/public key data. Then I become any user I like, and mount away.

    --

    --Lawrence Lessig for Congress!
  3. Re:Yes there is by Artana+Niveus+Corvum · · Score: 2, Insightful

    But again you have to remember that if the person is determined enough and brave enough to walk up to the server, what's to prevent them from taking a screwdriver to reset the bios settings (and erase those passwords). You have to stop worrying at some point because this string of logic goes on forever.

    --
    -----------------------------------------
    Remove the Greed which plagues mankind.
  4. Re:Yes there is by wfrp01 · · Score: 3, Insightful

    Although not foolproof, BIOS/FIRMWARE password to prevent floppy/CD booting is key.

    I should have been more clear. The problem isn't the client, it's the protocol. NFS is inherently insecure. Sure, you can BIOS protect your workstations. But you can't bios protect my laptop. You can't stop me from spoofing my mac address, my ip address, etc.

    Now you're right, of course, that most people can't/won't do this. On the other hand, what are you trying to protect? When your boss asks "is this secure?", what do you say? Remember too, that you don't have be much of a whiz to do a google search.

    Are you going to export your accounting folder? How about HR stuff? There are good (well, maybe 'good' isn't the right word... ;) reasons people would want at the information therein. It really doesn't take a lot of effort to get it, if you're using NFS.

    --

    --Lawrence Lessig for Congress!